Description
Security update for subversion
This update for subversion fixes the following issues:
- CVE-2022-24070: Fixed a memory corruption issue in mod_dav_svn as used by Apache HTTP server. This could be exploited by a remote attacker to cause a denial of service (bsc#1197940).
- CVE-2021-28544: Fixed an information leak issue where Subversion servers may reveal the original path of files protected by path-based authorization (bsc#1197939).
The following non-security bugs were fixed:
- Skip failing test on s390[x] (bsc#1198503).
Package list
SUSE Linux Enterprise Software Development Kit 12 SP5
References
- Link for SUSE-SU-2022:1483-1
- E-Mail link for SUSE-SU-2022:1483-1
- SUSE Security Ratings
- SUSE Bug 1197939
- SUSE Bug 1197940
- SUSE Bug 1198503
- SUSE CVE CVE-2021-28544 page
- SUSE CVE CVE-2022-24070 page
Description
Apache Subversion SVN authz protected copyfrom paths regression
Subversion servers reveal 'copyfrom' paths that should be hidden according to configured path-based authorization (authz) rules. When a node has been copied from a protected location, users with access to the copy can see the 'copyfrom' path of the original. This also reveals the fact that the node was copied. Only the 'copyfrom' path is revealed; not its contents. Both httpd and svnserve servers are vulnerable.
Affected products
References
- CVE-2021-28544
- SUSE Bug 1197939
Description
Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected are Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected.
Affected products
References
- CVE-2022-24070
- SUSE Bug 1197940